Draft Recommendation ITU-T X.1037 (X.ipv6-secguide) Technical security guideline on deploying IPv6 Summary The Internet protocol version 6 (IPv6) is intended to provide many built-in benefits such as large address space, mobility, and quality of service (QoS), because it is a new protocol and operates in some different ways than Internet protocol version 4 (IPv4), both foreseeable and unforeseeable security issues will arise. Many new functions or requirements of IPv6, i.e., automatic configuration of interfaces, mandatory Internet protocol security (IPSec), mandatory multicast, multiple Internet protocol (IP) addresses and many new rules for routing, can be abused for compromising computer systems or networks. Considering the above circumstances, Recommendation ITU-T X.1037 provides a set of technical security guides for telecommunication organizations to implement and deploy IPv6 environment. The content of this Recommendation focuses on how to securely deploy network facilities for telecommunication organizations and how to ensure security operations for the IPv6 environment. Keywords ???? - 2 - CONTENTS 1 Scope ............................................................................................................................. 3 2 References ..................................................................................................................... 3 3 Definitions .................................................................................................................... 4 3.1 Terms defined elsewhere ................................................................................ 4 3.2 Terms defined in this Recommendation ......................................................... 4 4 Abbreviations and acronyms .................................................................................... 4 5 Conventions .................................................................................................................. 6 6 Topology of IPv6 network ............................................................................................ 6 7 Network devices ........................................................................................................... 7 7.1 Router ............................................................................................................. 7 7.2 Switch ............................................................................................................. 9 7.3 Network address translation (NAT) router ..................................................... 9 8 End nodes (clients, load balancer) and servers ............................................................. 10 8.1 End nodes ....................................................................................................... 10 8.2 DHCP server ................................................................................................... 13 8.3 DNS server ..................................................................................................... 13 9 Security devices ............................................................................................................ 13 9.1 IDS .................................................................................................................. 13 9.2 Firewall ........................................................................................................... 14 Appendix I Practical examples of threats ............................................................................... 15 Appendix II IPv6 Promotion Council in Japan ....................................................................... 19 II.1 Background and objectives of IPv6 Promotion Council in Japan .................. 19 II.2 Aims of the Council ........................................................................................ 19 II.3 Security considerations for information ......................................................... 19 Appendix III Use case: IPv6 Technical Verification Consortium .......................................... 20 III.1 Objectives of the IPv6 Technical Verification Consortium in Japan ............. 20 III.2 Activities of the Consortium .......................................................................... 20 Bibliography............................................................................................................................. 21 - 3 - Draft Recommendation ITU-T X.1037 (X.ipv6-secguide) Technical security guideline on deploying IPv6 1 Scope Recommendation ITU-T X.1037 specifies security threats in the Internet protocol version 6 (IPv6) and provides a practical risk assessment of these threats and the technical solutions for a secure IPv6 deployment. This Recommendation focuses on three components: network devices (e.g., router, switch), server/client devices (e.g., end nodes, dynamic host configuration protocol (DHCP) server) and security devices (e.g., intrusion detection system (IDS), and firewall (FW)) that will be essentially deployed on IPv6 network. Recommendation ITU-T X.1037 provides a technical security guideline to developers of network products, security operators and managers of enterprise networks that are planning to deploy IPv6, so that they are able to mitigate security threats on their IPv6 network. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. [IEEE 802.1x] IEEE Starndard 802.1x (2010), Port Based Network Access Control. [IETF RFC 1981] IETF RFC 1981 (1996), Path MTU Discovery for IP version 6. [IETF RFC 2460] IETF RFC 2460 (1998), Internet Protocol, Version 6 (IPv6) Specification. [IETF RFC 2675] IETF RFC 2675 (1999), IPv6 Jumbograms. [IETF RFC 3315] IETF RFC 3315 (2003), Dynamic Host Configuration Protocol for IPv6 (DHCPv6). [IETF RFC 3627] IETF RFC 3627 (2003), Use of / 127 Prefix Length Between Routers Considered Harmful. [IETF RFC 3704] IETF RFC 3704 (2004), Ingress Filtering for Multihomed Networks. [IETF RFC 3810] IETF RFC 3810 (2004), Multicast Listener Discovery Version 2 (MLDv2) for IPv6. [IETF RFC 3971] IETF RFC 3971 (2005), SEcure Neighbor Discovery (SEND). [IETF RFC 4443] IETF RFC 4443 (2006), Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. [IETF RFC 4552] IETF RFC 4552 (2006), Authentication/Confidentiality for OSPFv3. [IETF RFC 4604] IETF RFC 4604 (2006), Using Internet Group Management Protocol Version 3 (IGMPv3) and Multicast Listener Discovery Protocol Version 2 (MLDv2) for Source-Specific Multicast. - 4 - [IETF RFC 4884] IETF RFC 4884 (2007), Extended ICMP to Support Multi-Part Messages. [IETF RFC 4890] IETF RFC 4890 (2007), Recommendations for Filtering ICMPv6 Messages in Firewalls. [IETF RFC 5095] IETF RFC 5095 (2007), Deprecation of Type 0 Routing Headers in IPv6. [IETF RFC 5340] IETF RFC 5340 (2008), OSPF for IPv6. [IETF RFC 5722] IETF RFC 5722 (2009), Handling of Overlapping IPv6 Fragments. [IETF RFC 6105] IETF RFC 6105 (2011), IPv6 Router Advertisement Guard. [IETF RFC 6164] IETF RFC 6164 (2011), Using 127-bit IPv6 Prefixes on Inter-Router Links. [IETF RFC 6494] IETF RFC 6494 (2012), Certificate Profile and Certificate Management for SEcure Neighbor Discovery (SEND). [IETF RFC 6495] IETF RFC 6495 (2012), Subject Key Identifier (SKI) SEcure Neighbor Discovery (SEND) Name Type Fields. [IETF RFC 6845] IETF RFC 6845 (2013), OSPF Hybrid Broadcast and Point-to-Multipoint Interface Type. [IETF RFC 6860] IETF RFC 6860 (2013), Hiding Transit-Only Networks in OSPF. 3 Definitions 3.1 Terms defined elsewhere None. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 abuse, abused, abusing: To use wrongly or improperly and to misuse. In the context of this Recommendation, “abusing” the IPv6 protocol or some feature of the protocol means to use it in ways that were unintended by the developers. 3.2.2 forged packet: A packet generated by an attacker, typically with illegitimate fields or entries that misuse the protocol format, in an attempt to violate network security by creating a denial-of-service (DoS) condition or attack situation. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: AAAA Authentication, Authorization, Accounting, and Auditing AS Autonomous System DAD Duplicate Address Detection DDoS Distributed Denial-of-Service DHCP Dynamic Host Configuration Protocol DHCPv6 Dynamic Host Configuration Protocol version 6 DMZ DeMilitarized Zone - 5 - DNS Domain Name System DoS Denial-of-Service FDB Forwarding DataBase FW Firewall ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol version 6 ID Identifier IDS Intrusion Detection System IGMP Internet Group Management Protocol IPS Intrusion Prevention System IPSec Internet Protocol Security IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 ISP Internet Service Provider ITS Intelligent Transportation
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages21 Page
-
File Size-